Law Firm Hands Over $500k to Email Scammers

Attorneys in Los Angeles Superior Court heard an unusual warning from the bench recently: don’t hand over your cash to hackers. Last week, Judge John Shepard Wiley warned lawyers that their colleagues had been duped into turning over half a million dollars to email scammers, rather than sending the cash to the wage and hour class action settlement fund for which it was intended.

“A defense firm apparently received what it thought were emails from an administrator, a well-known administrator, Rust [Consulting Inc.], instructing it to wire money to such and such address,” Judge Wiley warned, according to a report by Law360’s Bonnie Eslinger. “The defense firm apparently told the bank to wire the money to this address, at which point the money disappeared.”

The case highlights the damage email scams can enact on unsuspecting lawyers—and how easy it can be for a hacker to walk away with thousands of dollars in stolen settlement funds.

Hackers Are Phishing For Lawyers

Email scams are one of the most common and successful forms of hacking. In a typical “phishing” attack, for example, hackers impersonate reputable companies or individuals in order to trick recipients into downloading malware, handing over money, or revealing sensitive information. Such an attack may involve an email purportedly from a trusted source; the fooled recipient then downloads an attachment or follows a malicious link, resulting in malware infecting their computer, creating a foothold for hackers to leverage. “Pretexting” is a related approach, in which hackers engage in back-and-forth emails with the target, pretending to be someone they are not.

The more valuable the target, the more sophisticated the scam may be. Russian hackers, lead by the pseudonymous “Oleras,” reportedly put together a list of 50 law firms last year, looking for M&A attorneys that may be susceptible to phishing. (The key, the hackers decided, was vanity: attorneys who listed every award and honor would be most likely to fall for a phishing email wrapped in fawning language.)

The investment seems to have paid off, as the group was “pretty much happy and satisfied with the campaign,” according to Vitali Kremez, the cybersecurity researcher who uncovered Oleras’s scheme.

Half-a-Million Dollars, Handed Over to the Wrong Party

But while Oleras’s email scam was focused on acquiring material, nonpublic business information for insider trading purposes, the scam that’s scaring attorneys in Los Angeles seems to have been more convoluted.

The case involved wage and hour claims by golf course employees who say they were denied overtime pay. Last October, the court approved a $600,000 settlement, with the lion’s share of that to be paid in one initial $500,000 transfer to Rust Consulting, the settlement administrator.

Over several months, Rust emailed the defense lawyers asking when the payment would be made, but the defense attorneys said they did not receive those inquiries. Rust, however, did receive responses offering excuses for the delay—responses that were apparently sent directly from the scammers.

Then, a few weeks before the deadline for the first payment, an email purportedly from Rust arrived in the defense attorneys’ inbox, providing wiring instructions. From Law360:

“Not knowing that the email and wire information had been sent by a different sender, [the attorney] forwarded the email with the SunTrust wire information to defendant’s bank, Open Bank,” a joint statement of parties filed with the court says. “Open Bank wired $500,000 to the SunTrust account.”

It wasn’t until March that the theft was exposed, after Rust successfully contacted the defense attorneys by email.

The FBI is currently investigating the missing half million, while the golf course owners have paid $300,000 more to the settlement fund, with the remaining $300,000 expected in the upcoming days.

Not the First Settlement Email Scam

This isn’t the first time attorneys have been tricked into sending settlement funds to the wrong party. Last August, for example, the U.S. District Court of the Eastern District of Virginia weighed in on a similar situation. There, an employment discrimination lawsuit against Denny’s ended in a $65,000 settlement. The plaintiff only received $2,000 of that, however. The rest went to hackers.

The email used by the plaintiff’s attorney, a Yahoo.com account, was compromised throughout the course of the litigation, it turns out. After the initial $2,000 had been paid, an email from the attorney’s account instructed Denny’s lawyers to send the remainder to an account in London—but the email wasn’t sent by the attorney. Two days later, a call between the parties revealed that the money had been wired to hackers. Worse, it was too late to claw back the funds.

The plaintiff later moved to enforce the settlement, arguing that the defense attorneys should be held responsible for the missing funds. The court, however, did not agree. The attorney had known in advance that a malicious third party was targeting the funds. His client had emailed him a few days before the settlement was stolen, instructing the attorney to send the money to the same London account. The attorney spoke to the client and discovered the fraud, but did not inform opposing counsel. Indeed, he appears to have done nothing but delete the email.

As he failed to exercise “ordinary care,” the court ruled, the attorney was left to “bear the losses to which his failure substantially contributed.”

Meanwhile, in Los Angeles, Tagore Subramaniam, counsel for the golf course workers, says that the scam could have been avoided with a simple phone call. “This could have been resolved if when receiving that email the defense attorney called the administrator to confirm that they had the right wiring account number and the administrator could have signed off on that,” he told Law360. “If that were to have occurred, this situation would not have resulted.”